If you want to learn cybersecurity through hands-on practice, OverTheWire wargames offer one of the best free resources available today. These browser-based challenges teach you essential hacking skills through progressive, game-like exercises that start simple and gradually increase in difficulty. Whether you are completely new to security or looking to sharpen your command-line skills, OverTheWire provides a safe, legal environment to learn.
In this complete guide, you will learn what OverTheWire is, explore every wargame the platform offers, and discover how to get started with your first challenge. By the end, you will have a clear learning path to build real cybersecurity skills in 2026.
What is OverTheWire?
OverTheWire is a free online platform that hosts a collection of wargames designed to teach security concepts through practical challenges. Unlike traditional courses that focus on theory, OverTheWire drops you directly into a Linux terminal where you must solve puzzles to progress.
Each wargame consists of multiple levels. To advance from one level to the next, you must find the password hidden somewhere in the system. This might involve reading files, analyzing permissions, decoding encrypted messages, or exploiting vulnerable programs.
The platform has been a staple in the cybersecurity community for years, helping thousands of beginners transition from curious learners to skilled practitioners. Many professional penetration testers credit OverTheWire as the place where they first learned to think like a hacker.
Why Wargames Work for Learning
Wargames provide something that books and videos cannot: immediate feedback. When you solve a level, you know it works because the password grants you access to the next challenge. When you fail, you can experiment without consequences. This trial-and-error approach builds problem-solving skills that transfer directly to real-world security work.
The gamified structure also keeps you motivated. Each solved level gives you a sense of accomplishment, pushing you to tackle the next challenge. Before you know it, you have spent hours learning without it feeling like work.
Why OverTheWire is Perfect for Beginners
Many aspiring hackers struggle to find a starting point. The field seems overwhelming, with countless tools, techniques, and specializations to choose from. OverTheWire solves this problem by providing a structured learning path that assumes no prior knowledge.
Zero Setup Required
You do not need to install anything to start. All challenges run on remote servers that you access through SSH (Secure Shell), a standard tool for connecting to remote computers. If you use Linux or macOS, SSH comes pre-installed. Windows users can use the built-in OpenSSH client or download PuTTY.
Progressive Difficulty
The Bandit wargame, which serves as the entry point, starts with basic commands like ls to list files and cat to read file contents. By the final levels, you work with more advanced concepts like network connections, custom scripts, and environment manipulation. This gradual progression ensures you never feel completely lost.
Safe and Legal Practice
Everything on OverTheWire is designed for learning. You have explicit permission to probe, explore, and attempt to break things. This removes the legal gray areas that can make self-study risky. You can experiment freely knowing you are in a controlled environment.
If you are just starting your cybersecurity journey, check out our CTF for beginners guide to understand how capture-the-flag challenges fit into your learning path.
Complete List of OverTheWire Wargames
OverTheWire hosts multiple wargames, each focusing on different security topics. Here is a breakdown of every available challenge and what you will learn from each.
Bandit (Beginner)
Bandit is where everyone should start. This wargame teaches Linux fundamentals through 34 progressive levels. You will learn essential commands for navigating the file system, reading files, managing permissions, and connecting to remote services.
Key skills covered:
- Basic Linux commands (ls, cd, cat, file, find)
- File permissions and ownership
- SSH connections and key-based authentication
- Text processing with grep, sort, and uniq
- Working with compressed and encoded files
- Basic networking with netcat
- Git version control basics
Leviathan (Beginner to Intermediate)
After completing Bandit, Leviathan introduces binary analysis. This short wargame has only 8 levels but teaches you to examine compiled programs, understand how they work, and identify vulnerabilities without having access to the source code.
Natas (Web Security)
Natas shifts focus to web application security. Each level presents a vulnerable website where you must find a way to access the password for the next level. Topics include:
- Source code inspection
- HTTP headers and cookies
- Directory traversal attacks
- SQL injection basics
- Server-side template vulnerabilities
- Race conditions
Web security is one of the most in-demand skills in the industry. Our web attacks course provides additional hands-on practice with these techniques.
Krypton (Cryptography)
Krypton covers classical cryptography and cipher breaking. You will work with Caesar ciphers, substitution ciphers, and frequency analysis. While these techniques might seem old-fashioned, they build the analytical thinking needed for modern cryptographic analysis.
If you enjoy these challenges, practicing with additional cipher puzzles will help solidify your skills.
Narnia (Binary Exploitation Introduction)
Narnia introduces buffer overflows and memory corruption vulnerabilities. You will learn how programs store data in memory and how attackers can manipulate this behavior to take control of a system. This is where things start getting serious.
Behemoth (Intermediate Binary Exploitation)
Building on Narnia, Behemoth presents more complex binary exploitation challenges. You will work with return-oriented programming (ROP), format string vulnerabilities, and other advanced techniques.
Utumno (Advanced)
Utumno increases the difficulty further, requiring deep understanding of Linux internals and exploitation techniques. This wargame is best attempted after completing the previous binary exploitation challenges.
Maze (Advanced)
Maze focuses on advanced binary exploitation with minimal hints. These challenges test your ability to analyze complex programs and develop custom exploits.
Additional Wargames
OverTheWire also hosts Vortex, Manpage, Drifter, and FormulaOne. These wargames cover specialized topics and are best tackled after completing the core progression.
Getting Started with Bandit: Step-by-Step Guide
Ready to begin? Here is exactly how to start your OverTheWire journey with the Bandit wargame.
Step 1: Open Your Terminal
On Linux or macOS, open the Terminal application. On Windows 10 or later, you can use Windows Terminal or PowerShell with OpenSSH enabled.
Step 2: Connect to Level 0
Type the following command to connect to the Bandit server:
ssh bandit0@bandit.labs.overthewire.org -p 2220When prompted for a password, enter bandit0. The username and password for level 0 are both "bandit0".
Step 3: Read the Level Instructions
Visit the official Bandit page to read the objective for each level. The website provides hints about which commands you might need but never gives away the solution directly.
Step 4: Find the Password
For level 0, the goal is to find the password for level 1. According to the instructions, it is stored in a file called "readme" in the home directory. Use ls to list files and cat readme to display the contents.
Step 5: Progress to the Next Level
Once you have the password, exit the current session by typing exit or pressing Ctrl+D. Then connect as the next user:
ssh bandit1@bandit.labs.overthewire.org -p 2220Enter the password you found in level 0.
Important Tip: Save Your Passwords
OverTheWire does not save your progress. If you close your terminal and come back later, you need the password for your current level to resume. Keep a text file or use a password manager to track your progress.
Tips for Success in OverTheWire Challenges
After helping countless beginners through these wargames, we have identified strategies that make the learning process smoother and more effective.
Use Man Pages
When you encounter an unfamiliar command, type man commandname to read the manual. For example, man grep explains all the options for the grep command. Learning to read documentation is a critical skill for any security professional.
Take Notes
Write down commands that work, techniques you discover, and anything that surprises you. These notes become a personal reference that helps you solve future challenges faster.
Struggle Before Seeking Help
The learning happens when you struggle. Spend at least 30 minutes on a level before looking for hints. The frustration you feel while stuck transforms into understanding when you finally solve the puzzle.
Avoid Full Walkthroughs
Reading a complete walkthrough removes all the learning value. If you must seek help, look for hints that point you in the right direction rather than solutions that give everything away.
Learn the Unix Philosophy
Many levels can be solved by combining simple commands with pipes. Understanding how to chain commands together, for example cat file | grep pattern | sort | uniq, opens up powerful possibilities.
Practice Command Variations
Most commands have dozens of options. When you learn a new command, experiment with different flags to understand its full capabilities. The find command alone has options for searching by name, size, permissions, modification time, and much more.
OverTheWire vs Other CTF Platforms
How does OverTheWire compare to other popular learning platforms? Each has its strengths, and understanding the differences helps you choose the right resource for your current skill level.
OverTheWire vs TryHackMe
TryHackMe provides a more guided experience with rooms that include detailed explanations and step-by-step instructions. OverTheWire offers minimal guidance, forcing you to figure things out independently. For absolute beginners who want more hand-holding, TryHackMe might be easier to start with. For those who prefer learning by doing, OverTheWire builds stronger problem-solving skills.
Learn more about these platforms in our TryHackMe vs Hack The Box comparison.
OverTheWire vs Hack The Box
Hack The Box focuses on realistic machine exploitation, simulating actual penetration tests. OverTheWire concentrates on foundational skills. Most security professionals recommend starting with OverTheWire to build command-line proficiency before tackling Hack The Box machines.
OverTheWire vs PicoCTF
PicoCTF, run by Carnegie Mellon University, offers beginner-friendly CTF challenges with a focus on competition. OverTheWire provides a more permanent, always-available training ground. Both are excellent and complement each other well.
The Recommended Path
For most beginners, we recommend: OverTheWire Bandit first, then PicoCTF for competition experience, then TryHackMe for guided learning, and finally Hack The Box for realistic challenges.
Your Learning Path Beyond Bandit
After completing Bandit, you have several paths to consider based on your interests.
Path 1: Web Security Focus
Move to Natas to learn web application attacks. Focus on identifying common vulnerabilities like SQL injection and cross-site scripting in web applications.
Path 2: Binary Exploitation Focus
Progress through Leviathan, Narnia, Behemoth, and Utumno in order. This path requires patience but builds highly specialized skills valued in malware analysis and vulnerability research.
Path 3: Cryptography Focus
Complete Krypton to understand classical ciphers, then explore modern cryptographic implementations. Understanding how encryption can be broken helps you implement it correctly in your own projects.
Path 4: General Security Practitioner
Sample challenges from multiple wargames to build broad knowledge. This path works well for those pursuing careers as SOC analysts or general security consultants who need familiarity with many attack types.
For structured learning, explore our ethical hacking course which covers these topics in depth.
Ethics and Legal Considerations
While OverTheWire provides a legal environment for learning, the skills you develop can be used for both good and harm. Understanding the ethical boundaries is essential for any aspiring security professional.
Only Attack Authorized Systems
The techniques you learn, such as exploiting buffer overflows or finding hidden files, work on real systems too. Never use these skills against computers you do not own or have explicit written permission to test. Unauthorized access to computer systems is a serious crime in virtually every jurisdiction.
Disclosure Responsibilities
If you discover a vulnerability in a real system, follow responsible disclosure practices. Report issues to the affected organization and give them time to fix the problem before making it public. Many companies have bug bounty programs that reward security researchers for finding and reporting vulnerabilities.
Building a Career Ethically
The cybersecurity industry values trust above all else. Your reputation matters more than any technical skill. Always choose the ethical path, even when no one is watching. The community is smaller than you might think, and word travels fast.
Conclusion
OverTheWire wargames remain one of the most effective free resources for learning cybersecurity fundamentals. Starting with Bandit and progressing through more advanced challenges, you will build practical skills that directly translate to real-world security work.
The key to success is consistent practice. Set aside regular time to work through levels, take detailed notes, and resist the urge to look up solutions immediately. The struggle is where learning happens.
Ready to begin? Open your terminal, connect to Bandit level 0, and start your journey into the world of ethical hacking. Every expert was once a beginner, and OverTheWire has launched countless successful cybersecurity careers.
For more hands-on practice, explore the HackerDNA challenge labs where you can apply the skills you learn in OverTheWire to additional security scenarios.